In Europe and indeed worldwide, the General Data Protection Regulation (GDPR) provides protection to individuals regarding their personal data in the face of new technological developments. GDPR is widely viewed as the benchmark for data protection and privacy regulations that harmonizes data privacy laws across Europe. Although the GDPR is highly beneficial to individuals, it presents significant challenges for organizations monitoring or storing personal information. Since there is currently no automated solution with broad industrial applicability, organizations have no choice but to carry out expensive manual audits to ensure GDPR compliance. In this paper, we present a complete GDPR UML model as a first step towards designing automated methods for checking GDPR compliance. Given that the practical application of the GDPR is influenced by national laws of the EU Member States, we suggest a two-tiered description of the GDPR, generic and specialized. In this paper, we provide (1) the GDPR conceptual model we developed with complete traceability from its classes to the GDPR, (2) a glossary to help understand the model, (3) the plain-English description of 35 compliance rules derived from GDPR along with their encoding in OCL, and (4) the set of 20 variation points derived from GDPR to specialize the generic model. We further present the challenges we faced in our modeling endeavor, the lessons we learned from it, and future directions for research.
Research centre:
Interdisciplinary Centre for Security, Reliability and Trust (SnT) > Software Verification and Validation Lab (SVV Lab)
Disciplines:
Computer science
Author, co-author:
TORRE, Damiano ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > SVV
ALFEREZ, Mauricio ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > SVV
SOLTANA, Ghanem ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT)
SABETZADEH, Mehrdad ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > SVV
BRIAND, Lionel ; University of Luxembourg > Interdisciplinary Centre for Security, Reliability and Trust (SNT) > SVV
External co-authors:
no
Document language:
English
Title:
Modeling Data Protection and Privacy: Application and Experience with GDPR